Security is a Process, Not a Destination: Have You Given It Your All?

After 20 years without a breach in my identity or personal information I was a recent victim of the Adobe breach.

I did all the right things. I never used the same password for any two sites, and I made it long and strong. I didn’t share the fact that I had an Adobe account on any social networks, and I used a specific credit card that could be easily canceled in the event something happened.

But this raises the question: Did Adobe do all the right things to protect my data? Are your customers wondering the same thing about you?

As I’ve preached for over 20 years, security is a process – not a destination. You don’t wake up one morning and arrive at a place called, secure. It’s a continuous, ongoing process of always staying one step ahead of the threats.

The Weakest Link

Does your company have a system in place that provides for constant balances and checks?

This means a security team that constantly reviews procedures and checks periodically to make sure they’re being followed. Do you even have a network or security policy? Better still, do you have a security team?

In technology, as well as security in general, there’s the axiom of the ‘weakest link.’

You could have the top of the line Internet speed of gigabits per second (Gbps) but if your router will only process 100 megabits per second (mbps), guess how much speed you’re going to get? That’s right, the 100 mbps because it’s the weakest link.

Similarly, your staff is usually the weakest link in your security chain. They leave their workstation logged on when they walk away for lunch or break. They open email attachments from unknown senders that they should have deleted. They surf social media exposing your network to a plethora of malware goodies.

But they’re not the only weak link in your organization!

What about your vendors? Do your vendors have access to your network from within or without? All it takes is one contaminated USB flash drive inserted by a vendor to wreak havoc or provide a back door into sensitive data customer data.

Defend Your Perimeter

You don’t need a professional to conduct a security audit to find out if your network is wide open. There is a simple test you can perform right at your desk, right now.

Then, put that number in your web browser with the http:// in front of it. If your router login pops up try using the basic default username and password to login. They are: admin and password respectively.

And you could try other possibilities too. In fact, you could have fun trying to hack the password.

You would be surprised how many big companies fail to change the default user name and password in their router! A few years ago, there was a breach at a power plant of a public utility in the U.S. because the hacker used the default router username and password. It had never been changed.

Large companies have their hands full with staffing issues and sometimes the tech department is stretched beyond its limits. And this is the reason why simple security procedures get lost or bypassed.

Protect Important Data

Giving your customer data the security it deserves means you need to protect that data at all costs.

Another poorly followed security rule is the “least access” rule. Certified security professionals and network administrators are taught to assume no one should have access to anything. Then, you add permissions based on need.

Does Jill the receptionist really need access to those payroll records? Does Bruce the admin really need access to customer billing and credit card records?

It doesn’t take high powered administration software to allow and deny permissions to user groups. Nearly all operating systems have it installed already. And if not, there are many free open source or inexpensive alternatives available for securing your network.

It’s up to you to protect the important data your customers have trusted with you. And with big data, comes big responsibility.

Who’s Minding the Logs?

Even the smallest intruder leaves a footprint and that footprint can be found in logs. Server logs, router logs, firewall logs, and a host of other logs. Is your company keeping logs? Is someone reviewing them regularly?

A breach usually doesn’t happen on first access. There are usually telltale signs that someone has been snooping around your network first. Would someone in your organization be able to spot it?

Take Away

I’d like to leave you with a few brief tips to help ensure you’re giving it your all when it comes to protecting your customers’ data.

Defend your perimeter. Make sure your router is secure and the firewall is enabled and keeping a log. Have someone periodically review the log for signs of trouble.

Don’t dismiss the obvious. As with the default user name and password in the router, don’t assume the basic security procedures are being followed or maintained. Have a system of balance and checks in place to make sure the most ridiculous, basic security procedures are being met.

Protect your sensitive data. Only those on a need to know basis should have access to sensitive customer data. Develop a ‘least access’ mindset.

Mind the logs. Set up, maintain and regularly review logs from the raw server logs through the firewall and Operating System logs. Anything out of the ordinary needs to be looked at closely.

Remember, security is a process, not a destination and your customers are counting on you to give it your all in protecting the information they’ve entrusted you with. Don’t make them regret doing business with you.

About the Author:Debbie Mahler (@DebbieMahler) is the CEO of Internet Tech Specialists. She’s an online instructor for Ed2go, a division of Cengage Learning and a global education provider. She teaches Introductory and Advanced PC Security courses for all English-speaking colleges and universities.

Editor’s Note:The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

What a great article! Though written for large companies, even the solo-preneur can apply most of this information to ensure they are being secure (protecting their clients, and their own, data). Thanks for the tips!

Thanks for stopping by and taking the time to comment Cindy! And yes, this does apply to every business – large or small!

Joe Curcio

People simply don't know or even understand how exposed they are in cyberspace. It is a complicated business and even the best of us get compromised at some point or another. Because the cyber-threat landscape is ever changing, security MUST be a process and not a destination or you will most certainly get burned. I suggest every business executive make internet security their new hobby, because the more you learn… the more you realize how exposed you are. If you haven't been compromised yet… "as best you can tell…" you will be if you don't get yourself smart about security.

Thanks Joe. Could not agree with you more. A lot of my students (who also work in businesses) are stunned to find out "what it is they didn't know!" And it's the age old question of: how far down the rabbit hole do you want to go?

Colin Robbins

Having made the assertion security is a process, I find it a little odd that 5 tips are largely technical. I agree these are important, but at a corporate level there are a set of pure process things that should also be performed, and are equally important.

Really? What's so technical about the 5 tips Colin? I'm obviously not seeing this from the perspective you are. Please help me understand.

Don O'Neill

Those who have proprietary data and information they cannot afford to lose and don't know hot to protect should not use the Internet or Cloud as a destination. So for those people, nonuse is a destination.

Don, I agree with you on one portion of that statement. People should not use the cloud period!

Nemo Dat

Great article.
It highlights that effective protection can only be achieved through teamwork between partners. You showed that even an expert like yourself, when let down by a business partner is as vulnerable as a novice. Business and customers have a common enemy: Thieves.

In a world of duplicity and deceptions, 'security' and 'trust' may have lost their meanings as defined in dictionaries. This jeopardizes knowledge economies as they cannot prevail if their assets are beeing vacuumed off through ineffective data protection.
Then, 'security' may be a destination.

Point taken Nemo. This article just brushed the surface of the entire security field. Identity theft, IP theft, and even business process theft can take a toll on business owners. And there's a current article on this blog that covers an IT contractor that was trusted. Insider threats are also a possibility. That's why I say it's a process. You have to constantly watch your assets from a 360 degree view!

Hi Debbie – have to agree with you , it is a process , it is something that we have to be always checking , My belief is that it is becoming harder and harder to keep up and the reality of this is for most people this translates to its getting easier to suffer loss at the hands of others. The majority are not aware of this and are more often completely unprepared for what comes about when this happens .